Remove the mail and stats templates as they're out of date by now, and add http2 to the main REPLACEME.TLD.conf

2024-07-23 13:09:39 -04:00 · 2024-07-23 13:09:39 -04:00 · 2d37d26e28
commit 2d37d26e28
parent c44af7bde7
3 changed files with 1 additions and 188 deletions
--- a/nginx/sites-available/REPLACEME.TLD.conf
+++ b/nginx/sites-available/REPLACEME.TLD.conf
@ -19,6 +19,7 @@ server {
    listen 443 ssl;
    server_name REPLACEME.TLD;
    root /srv/http/REPLACEME.TLD/public;
+    http2 on;

    ssl_certificate /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/REPLACEME.TLD/privkey.pem;
--- a/nginx/sites-available/mail.REPLACEME.TLD.conf
+++ b/nginx/sites-available/mail.REPLACEME.TLD.conf
@ -1,93 +0,0 @@
-# ROUNDCUBE CONFIGURATION
-
-server {
-    listen      80;
-    server_name mail.REPLACEME.TLD;
-    return      301 https://mail.REPLACEME.TLD$request_uri;
-}
-
-server {
-    listen      443 ssl;
-    server_name mail.REPLACEME.TLD;
-    root        /usr/share/webapps/roundcubemail;
-
-    ssl_certificate         /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem;
-    ssl_certificate_key     /etc/letsencrypt/live/REPLACEME.TLD/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem;
-
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:50m;
-
-    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
-    # Generate with: openssl dhparam -out /etc/nginx/dhparam.pem 4096
-    ssl_dhparam /etc/nginx/dhparam.pem;
-
-    # Mozilla "Intermediate configuration" copied from https://mozilla.github.io/server-side-tls/ssl-config-generator/
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
-    ssl_prefer_server_ciphers on;
-
-    # OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them
-    ssl_stapling on;
-    ssl_stapling_verify on;
-
-    # Protect against XSS and clickjacking
-    add_header X-Frame-Options "SAMEORIGIN";
-    add_header X-XSS-Protection "1; mode=block";
-
-    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
-    add_header Strict-Transport-Security max-age=15768000;
-
-    index   index.php;
-    charset utf-8;
-
-    include /etc/nginx/h5bp/basic.conf;
-
-    location / { try_files $uri $uri/ /index.php?$query_string; }
-
-    location ~ ^/webmail/favicon.ico$ {
-        root /usr/share/webapps/roundcubemail/skins/classic/images;
-        log_not_found off;
-        access_log off;
-        expires max;
-    }
-
-    location ~ ^/webmail/robots.txt {
-        allow all;
-        log_not_found off;
-        access_log off;
-    }
-
-    location ~ ^/webmail/(config|temp|logs)/ {
-         deny all;
-    }
-
-    location ~ ^/webmail/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
-        deny all;
-    }
-
-    location ~ ^/webmail/(bin|SQL)/ {
-        deny all;
-    }
-
-    location ~ ^/webmail/(.+\.md)$ {
-        deny all;
-    }
-
-    location ~ ^/webmail/\. {
-        deny all;
-        access_log off;
-        log_not_found off;
-    }
-
-    location ~ \.php$ {
-        fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        fastcgi_pass            unix:/run/php-fpm/php-fpm.sock;
-        fastcgi_index           index.php;
-        include                 fastcgi.conf;
-    }
-
-    location = /favicon.ico { access_log off; log_not_found off; }
-    location = /robots.txt  { access_log off; log_not_found off; }
-    location ~ /\.ht { deny all; }
-}
--- a/nginx/sites-available/stats.REPLACEME.TLD.conf
+++ b/nginx/sites-available/stats.REPLACEME.TLD.conf
@ -1,95 +0,0 @@
-# MATOMO CONFIGURATION
-
-server {
-    listen      [::]:80;
-    listen      80;
-    server_name stats.REPLACEME.TLD;
-    return      301 https://$host$request_uri;
-}
-
-server {
-    listen      [::]:443 ssl;
-    listen      443 ssl;
-    http2       on;
-    server_name stats.REPLACEME.TLD;
-    root        /srv/http/stats.REPLACEME.TLD;
-
-    access_log  /var/log/nginx/matomo.access.log;
-    error_log   /var/log/nginx/matomo.error.log;
-
-    ssl_certificate         /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem;
-    ssl_certificate_key     /etc/letsencrypt/live/REPLACEME.TLD/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/REPLACEME.TLD/fullchain.pem;
-
-    ssl_session_timeout 1d;
-    ssl_session_cache shared:SSL:50m;
-
-    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
-    # Generate with: openssl dhparam -out /etc/nginx/dhparam.pem 4096
-    ssl_dhparam /etc/nginx/dhparam.pem;
-
-    # Mozilla "Intermediate configuration" copied from https://mozilla.github.io/server-side-tls/ssl-config-generator/
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
-    ssl_prefer_server_ciphers on;
-
-    # OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them
-    ssl_stapling on;
-    ssl_stapling_verify on;
-
-    add_header Referrer-Policy origin always;
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-XSS-Protection "1; mode=block" always;
-
-    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
-    add_header Strict-Transport-Security max-age=15768000;
-
-    index   index.php;
-    charset utf-8;
-
-    location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php {
-        include fastcgi.conf;
-        fastcgi_param HTTP_PROXY "";
-        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
-    }
-
-    location ~* ^.+\.php$ {
-        deny all;
-        return 403;
-    }
-
-    location / {
-        try_files $uri $uri/ =404;
-    }
-
-    location ~ /(config|tmp|core|lang) {
-        deny all;
-        return 404;
-    }
-
-    location ~ /\.ht {
-        deny  all;
-        return 403;
-    }
-
-    location ~ js/container_.*_preview\.js$ {
-        expires off;
-        add_header Cache-Control 'private, no-cache, no-store';
-    }
-
-    location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
-        allow all;
-        expires 1h;
-        add_header Pragma public;
-        add_header Cache-Control "public";
-    }
-
-    location ~ /(libs|vendor|plugins|misc/user) {
-        deny all;
-        return 403;
-    }
-
-    location ~/(.*\.md|LEGALNOTICE|LICENSE) {
-        default_type text/plain;
-    }
-}